forked from heimdal/heimdal
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ChangeLog.2003
1795 lines (1115 loc) · 54.9 KB
/
ChangeLog.2003
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
2003-12-19 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/error_string.c: protect error_string with mutex
* lib/krb5/context.c: allocate and destroy mutex in krb5_context
* lib/krb5/krb5.h (krb5_context_data): add mutex for error_string
2003-12-18 Love Hörnquist Åstrand <lha@it.su.se>
* kuser/kinit.c: make -9 work again
2003-12-17 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/init_creds_pw.c: try handle ts preauth better, still
not good, but at least it work with older heimdal releases that
doesn't send back KRB5KDC_ERR_PREAUTH_REQUIRED when preauth was
sent
2003-12-16 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/hdb.asn1: remove enforce-transited-policy, its no longer
used
2003-12-11 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/pkinit.c (_krb5_pk_create_sign): fill in NULL as
parameters, required by CMS
2003-12-07 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/get_in_tkt_with_keytab.c (krb5_get_in_tkt_with_keytab):
avoid memory leak that snuck in when krb5_keytab_key_proc was
exported, pointed out by Panases Inc
* lib/krb5/keytab_file.c: do locking, found to be a problem for
Panasas Inc
* lib/krb5/fcache.c: internally export x{,un}lock and thus prefix
them with _krb5_
* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): use
KRB5_AUTH_CONTEXT_DO_TIME if we want timestamp in forwarded
krb-cred
* lib/krb5/krb5_auth_context.3: some text about
krb5_auth_con_{add,remove}flags
* lib/krb5/auth_context.c: add krb5_auth_con_addflags and
krb5_auth_con_removeflags
2003-12-03 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/crypto.c (decrypt_internal_derived): move up padsize to
avoid memory leak
2003-12-02 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/crypto.c: require cipher-text to be padded to padsize
* lib/krb5/eai_to_heim_errno.c: EAI_ADDRFAMILY and EAI_NODATA is
deprecated in RFC3493
* lib/krb5/verify_krb5_conf.c (check_host): don't check for
EAI_NODATA, because its depricated in RFC3493 Pointed out by
Hajimu UMEMOTO <ume@mahoroba.org> on heimdal-discuss
2003-12-01 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/Makefile.am: move test_crypto to noinst_PROGRAMS
* lib/krb5/test_crypto.c: add --version,--help
* kuser/kinit.c (main): return the return value from simple_execvp
2003-11-26 Love Hörnquist Åstrand <lha@it.su.se>
* kuser/kinit.c: don't use PKINIT DH per default since its too
slow
* lib/krb5/pkinit.c: tweek to make pkinit work with the fact the
asn1_compile can't generate code for context tagless optionals
* kdc/pkinit.c: add support for KDC side of DH PKINIT
* lib/krb5/pkinit.c: clean up error handling, make enc-type work
again
2003-11-25 Love Hörnquist Åstrand <lha@it.su.se>
* kuser/kinit.c: add flag to make it work with pkinit dh
* lib/krb5/pkinit.c: make PKINIT DH support work
2003-11-24 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/Makefile.am (LDADD): link with LIB_dlopen
* kdc/pkinit.c: clean up
* lib/krb5/krb5.h: make pkinit_win2k_compatible into a flag field
* lib/krb5/pkinit.c: remove most compile depencies clean up
* kdc/pkinit.c: print an error and turn of pkinit if openssl
failed to load
* kdc/config.c: read pkinit (pki-mumble) configuration options
* kdc/kerberos5.c: add pkinit support
* kdc/kdc_locl.h: add prototypes for pkinit
* kdc/pkinit.c: PKINIT patch from Daniel Kouril and Petr Holub, I
removed the dependency on valicert asn1 parser, remove smartcard
and globus support (for now). Work to be done on this: DH support,
Globus support, Smartcard support, windows support (MS implements
-09 of the draft), make it conform to the new draft
* lib/krb5/pkinit.c: fix bugs, improve error reporting
2003-11-23 Love Hörnquist Åstrand <lha@it.su.se>
* kuser/kinit.c: add some "struct foo;" glue for pkinit
structures that isn't used
* lib/krb5/pkinit.c: clean up, make remove depenency on openssl's
api
* lib/krb5/krb5_locl.h: add some glue for pkinit add reference
counter to _krb5_get_init_creds_opt_private
* lib/krb5/init_creds.c: reference count krb5_get_init_creds_opt
private component to avoid copy all the data in it
* lib/krb5/crypto.c (AES_string_to_key): fix memory leak
* lib/krb5/init_creds_pw.c (init_cred_loop): fix memory leak
* lib/krb5/heim_threads.h: include pthread.h in the pthread case
2003-11-18 Love Hörnquist Åstrand <lha@it.su.se>
* kpasswd/kpasswdd.c (main): parse kdc.conf
From: Jeffrey Hutzelman <jhutz@cmu.edu>
2003-11-15 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/Makefile.am (TESTS): add test_crypto
* lib/krb5/test_crypto.c: time crypto operations
2003-11-14 Love Hörnquist Åstrand <lha@it.su.se>
* doc/init-creds: spelling, Bruno Rohee <bruno@rohee.com>
2003-11-09 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/rd_req.c (krb5_verify_ap_req2): krb5_free_ticket free
the ticket now, rewrite error handling to handle that
* kpasswd/kpasswdd.c (process): don't free ticket,
krb5_free_ticket does that now
* kdc/kerberos5.c (tgs_rep2): don't free ticket, krb5_free_ticket
does that now
* lib/krb5/ticket.c (krb5_free_ticket): free the ticket itself to
match mit behavior, pointed out by Derrick Brashear
* lib/krb5/krb5_ticket.3: krb5_free_ticket free the whole ticket
2003-11-08 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/padata.c: add krb5_padata_add
* lib/krb5/krb5.h: krb5_context_data.pkinit_win2k_compatible
* lib/krb5/Makefile.am: add pkinit.c
* kuser/kinit.c: add pkinit support
* lib/krb5/init_creds_pw.c: add support for pkinit
* lib/krb5/krb5_locl.h: add the opaque krb5_pk_init_ctx to
_krb5_get_init_creds_opt_private
* lib/krb5/pkinit.c: rename krb5_pk_init_openssl_ctx to
krb5_pk_init_ctx fix win2k error handling
* lib/krb5/pkinit.c: PKINIT patch from Daniel Kouril and Petr
Holub, I removed the dependency on valicert asn1 parser, remove
smartcard and globus support (for now). Work to be done on this:
DH support, Globus support, Smartcard support, windows support (MS
implements -09 of the draft), verify that it conforms the new
draft
2003-11-07 Love Hörnquist Åstrand <lha@it.su.se>
* lib/asn1/der_copy.c (copy_oid): copy all components
2003-10-27 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/krb5.conf.5: document capaths section
2003-10-22 Johan Danielsson <joda@pdc.kth.se>
* kdc/kerberos5.c: make sure that the server realm and the krbtgt
second component are identical; get rpath from the capaths section
* kdc/kerberos5.c: change logic for when to check transited policy
to a tri-state model involving per principal flags (to be
implemented)
* kdc/kdc_locl.h: change enforce_transited_policy to a tri-state
variable
* kdc/config.c: change enforce_transited_policy to a tri-state
variable
2003-10-22 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/transited.c (krb5_domain_x500_encode): always zero out
encoding to make sure it have a defined value on failure
* lib/krb5/transited.c (krb5_domain_x500_encode):
if num_realms ==0, set encoding and return (avoids malloc(0)),
check return value for malloc
2003-10-21 Johan Danielsson <joda@pdc.kth.se>
* kdc/kerberos5.c (fix_transited_encoding): always print
cross-realm information
2003-10-21 Love Hörnquist Åstrand <lha@it.su.se>
* doc/setup.texi: spelling, From: Tracy Di Marco White
* kdc/kerberos5.c (fix_transited_encoding): set transited type
2003-10-21 Johan Danielsson <joda@pdc.kth.se>
* kdc/kdc.8: document enforce-transited-policy
* kdc/kerberos5.c: always check transited policy if flag set
either globally or on principal
* kdc/config.c: add flag to always check transited policy
* lib/hdb/hdb.asn1: add flag to enforce transited policy
2003-10-21 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/transited.c (krb5_domain_x500_decode): set *num_realms
to zero not num_realms
* kuser/kgetcred.1: add --no-transit-check
* kuser/kgetcred.c: add --no-transit-check
* doc/setup.texi: describe Transit policy
2003-10-20 Johan Danielsson <joda@pdc.kth.se>
* kdc/kerberos5.c (fix_transited_encoding): also verify with
policy, unless asked not to
* lib/krb5/rd_req.c (krb5_decrypt_ticket): try to verify transited
realms, unless the transited-policy-checked flag is set
* lib/krb5/transited.c (krb5_domain_x500_decode): handle zero
length tr data;
(krb5_check_transited): new function that does more useful stuff
* lib/krb5/get_cred.c: get capath info from [capaths] section
2003-10-16 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/fcache.c: Sleep forever waiting for lock. Previous
method doesn't work well with a large number of clients accessing
the cache at the same time, and there is no simple way to add a
timeout to the lock.
2003-10-13 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/verify_krb5_conf.c: print the error value
krb5_init_context failed with
* lib/krb5/config_file.c (krb5_config_parse_file_debug): punt if
there is binding before a section declaration. Bug found by
Arkadiusz Miskiewicz <arekm@pld-linux.org>
2003-10-13 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/fcache.c (erase_file): revert a change in previous; if
the ccache is a symlink, kdestroy should remove it
* lib/krb5/fcache.c: implement locking
2003-10-12 Johan Danielsson <joda@pdc.kth.se>
* kuser/klist.c (print_tickets): bail out if krb5_cc_next_cred
returns error other than KRB5_CC_END
2003-10-07 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/init_creds_pw.c: add some help function that is common
between ENC_TS and SAM2, free the etype{,2}-infos on failure, move
the pa counter into krb5_get_init_creds_ctx
2003-10-06 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/kaserver.c (do_getticket): if times data is shorter then 8
byte, request is malformed.
* kdc/kaserver.c (do_authenticate): if request length is less then
8 byte, its a bad request and fail. Pointed out by Marco Foglia
<marco@foglia.org>
* lib/krb5/verify_krb5_conf.c: add flag --warn-mit-syntax that
warns for mit syntax is used and just ignore the mit syntax when
its used
* lib/krb5/verify_krb5_conf.c: parse [kdc]use_2b and [gssapi]
2003-10-04 Love Hörnquist Åstrand <lha@it.su.se>
* lib/asn1/lex.l: add BOOLEAN
* lib/asn1/parse.y: add BOOLEAN
2003-10-03 Love Hörnquist Åstrand <lha@it.su.se>
* kuser/kinit.c: When running kinit in "fork mode" do pagsh
independent of krb4, also always do krb4 setup of cc. Always try
to destroy the v4 cc.
- add boolean --{,no-}request-pac that will request pac or not
* kuser/klist.c (check_for_tgt): set client as part of the
pattern/match cred
* lib/krb5/convert_creds.c (_krb5_krb_dest_tkt): unlink v4 token
(get_krb4_cc_name): move out from _krb5_krb_tf_setup
(_krb5_krb_tf_setup): adapt to allocated filename instead of
static filename
* lib/krb5/krb5-v4compat.h: add _krb5_krb_dest_tkt and TKT_ROOT
* lib/krb5/init_creds_pw.c (*) send PA_PAC_REQUEST when the user
have requested either use PAC or not use PAC, if the option not
set from the user, leave it up to the kdc to decide.
(init_creds_loop): clear error string on success
* lib/krb5/init_creds.c: add
krb5_get_init_creds_opt_set_paq_request break out common part of
extended opt functions to require_ext_opt
* lib/krb5/krb5_locl.h: add enum krb5_get_init_creds_req_pac and
use it in struct _krb5_get_init_creds_opt_private
* tools/kdc-log-analyze.pl: handle some more failure lines
* doc/programming.texi: some diffrences between Heimdal and MIT
Kerberos in the API
* doc/setup.texi: add Setting up DNS
* lib/krb5/rd_req.c (krb5_rd_req): always free keyblock since its
alway used
* lib/asn1/Makefile.am: add SAM types and PAC_REQUEST
* lib/asn1/k5.asn1: add more preauth types, add PA-PAC-REQUEST
* lib/asn1: add boolean support
2003-10-02 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/changepw.c (setpw_send_request): free ap_req_data on
failure
2003-09-30 Love Hörnquist Åstrand <lha@it.su.se>
* appl/test/http_client.c (do_connect): use ai_protocol 0
* lib/krb5/init_creds_pw.c (init_cred_loop): handle
KRB5KRB_ERR_RESPONSE_TOO_BIG and loop again, this time requesting
LARGE_MSG from send to kdc, and if this is the second time bail
out; try to free memory
* lib/krb5/send_to_kdc.c (krb5_sendto_kdc_flags): new function,
and then implement the order krb5_sendto_kdc* function with this
function.
* lib/krb5/krbhst.c (krb5_krbhst_init_flags): new function, use it
and adapt callers
(krbhst_get_default_proto): new function, returns udp, or in case
large_msg was requested for the krb5_krbhst_data, use tcp.
(*): if the flag KD_LARGE_MSG was set on the krb5_krbhst_data, avoid
using udp, use krbhst_get_default_proto
* lib/krb5/krb5.h: flags for krb5_krbhst_init_flags (and
krb5_send_to_kdc_flags)
2003-09-23 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/rd_req.c (krb5_rd_req): if we have a keyblock in auth
context, use that
* appl/test/uu_client.c: print authorization data if there are any
* lib/asn1/asn1_print.c: decode IA5Stringa and UTF8String
2003-09-21 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/init_creds_pw.c: use _krb5_get_init_creds_opt_copy
* lib/krb5/init_creds.c: don't export krb5_get_init_creds_opt_copy
* lib/hdb/Makefile.am: libhdb might depend on LIB_dlopen
* kuser/kinit.c: don't get v4 tickets by default
2003-09-20 Love Hörnquist Åstrand <lha@it.su.se>
* kpasswd/kpasswdd.c (process): remove a abort()
* doc/win2k.texi: add some text about netdom.exe and trusts
* TODO-1.0: gssapi rc4 done
* kpasswd/kpasswdd.c: add support for Set password protocol as
defined by RFC3244 -- Microsoft Windows 2000 Kerberos Change
Password and Set Password Protocols
2003-09-19 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/db3.c: improve readability of ->open ifdef, check if
version >= 4.1
* lib/krb5/init_creds.c (krb5_get_init_creds_opt_copy): add
* lib/krb5/rd_req.c (krb5_rd_req): allow caller to pass in a key
in the auth_context, they way processes that doesn't use the
keytab can still pass in the key of the service (matches behavior
of MIT Kerberos).
2003-09-18 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/init_creds_pw.c: collect all init_creds context into a
structure so it can easier be passed around, also, while here,
change nonce for every request
* lib/krb5/get_in_tkt.c (init_as_req): don't realloc data before
the loop, add_padata() will handle that itself
* lib/krb5/get_for_creds.c (add_addrs): don't increase addr->len
until in contains interesting data, use right iteration counter
when clearing the addresses
* lib/krb5/log.c (log_realloc): increase len after realloc returns
sucessfully
2003-09-12 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/config_file.c: fix prototypes
From: Fredrik Ljungberg <flag@pobox.se>
2003-09-10 Love Hörnquist Åstrand <lha@it.su.se>
* appl/test/http_client.c: close socket when we are done, don't
allow the server to restart gssapi negotiation
* lib/hdb/hdb_locl.h: include <limits.h> for ULONG_MAX noted by
Wissler Magnus <M.Wissler@abalon.se> on heimdal-discuss
* appl/test/gssapi_client.c (proto): use select_mech
* appl/test/http_client.c: use getarg
* appl/test/gss_common.h: prototype for select_mech
* appl/test/gss_common.c (select_mech): return the gss_OID from a
mech name
* appl/test/http_client.c: print both source and target
* appl/test/Makefile.am: build http_client
2003-09-09 Love Hörnquist Åstrand <lha@it.su.se>
* lib/asn1/asn1_print.c: add support for printing Enumerated
* appl/test/gssapi_client.c: allow user to select mech; krb5,
spnego, and no-oid
* appl/test/test_locl.h: add mech
* appl/test/common.c: add --mech,-m argument
* appl/test/gssapi_server.c: print the mech that was used
* kdc/kerberos5.c (only_older_enctype_p): check request if the
client only supports old enctypes, before it used the database
2003-09-08 Love Hörnquist Åstrand <lha@it.su.se>
* **/*.c: add context argument to krb5_get_init_creds_opt_alloc
* lib/krb5/init_creds.c (krb5_get_init_creds_opt_alloc): add
context argument
* lib/krb5/krb5_get_init_creds.3: spelling
2003-09-04 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/context.c (add_file): make len argument an pointer to
an integer
* lib/asn1/k5.asn1: add SAM types
* lib/krb5/init_creds_pw.c: break out the encrypt timestamp
preauth to its function break out the pa_data_to_key_plain to its
own function make more variables const
2003-09-04 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/krb5.conf.5: document appdefaults/{forward,encrypt}
2003-09-03 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5.h: Add key usage for encryption of the
SAM-NONCE-OR-SAD field.
* include/make_crypto.c: include <openssl/ui.h> in the openssl
case
* kdc/hprop.h: use new DES_ api
* lib/krb5/krb5-v4compat.h: assume session key is a char array of
length 8
* lib/krb5/prompter_posix.c:
s/des_read_pw_string/UI_UTIL_read_pw_string/
* kuser/kinit.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
* kdc/string2key.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
* kdc/kstash.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
* admin/add.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
* lib/krb5/crypto.c: switch from the des_ to the DES_ api
* kdc/hprop.c: use DES_KEY_SZ instead of sizeof(des_block)
* kuser/kverify.c: use
krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free
* kpasswd/kpasswd-generator.c: use
krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free
* kdc/hprop.c: use
krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free compare
a uint32_t with 0xffffffff instead of -1
* lib/krb5/krb5_425_conv_principal.3: fix [Gt]
* kuser/kinit.c: use
krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free
* lib/krb5/init_creds_pw.c (krb5_get_init_creds_password): handle
password passed in though context
* lib/krb5/Makefile.am (TESTS): += test_config
* lib/krb5/aes-test.c: move variable thats used within a #ifdef to
be defined within that #ifdef
* lib/krb5/data.c (krb5_data_free): reset whole krb5_data when
freeing it
* lib/krb5/keyblock.c (krb5_keyblock_zero): new function, zeros
out a keyblock
* lib/krb5/init_creds_pw.c: rewrite/implement
krb5_get_init_creds_password with new preauth handing, still it
can only work with krb5-pa-enc-timestamp for preauth, but now it
can handle etype-info2
* lib/krb5/init_creds.c (krb5_get_init_creds_opt_alloc): allocate
a opt structure
(krb5_get_init_creds_opt_free): free a opt structure
(krb5_get_init_creds_opt_set_pa_password): set preauth info for
enc-timestamp
* lib/krb5/krb5_locl.h: add struct
_krb5_get_init_creds_opt_private
2003-09-02 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5.h: add SAM keyusage numbers, add s2k proc typedef,
add a pointer to a private part of krb5_get_init_creds_opt
* kdc/string2key.c (main): avoid const warning by using a extra
variable
2003-08-31 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/ticket.c (krb5_ticket_get_authorization_data_type):
reindent
* lib/krb5/ticket.c (krb5_copy_ticket): free all data when
failing, copy data to right memory, the later pointed out by Luke
Howard.
2003-08-30 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5.h: cfx-01 use diffrent usage numbers
2003-08-29 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/db3.c: try to include more db headers
* lib/hdb/db3.c: patch for working with DB4 on heimdal-discuss
From: Luke Howard <lukeh@PADL.COM>
2003-08-28 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5.h: add KEYTYPE_ARCFOUR_56
* appl/test/gssapi_client.c: send both INT and CONF wrapped token
* appl/test/gssapi_server.c: recv both INT and CONF wrapped token
* lib/asn1/k5.asn1: add KRB5_NT_SMTP_NAME and KRB5_NT_ENTERPRISE
2003-08-27 Love Hörnquist Åstrand <lha@it.su.se>
* appl/test/uu_client.c (proto): fill in client in the match cred
2003-08-26 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5.h: CFX uses slightly diffrent usage numbers
* lib/krb5/crypto.c (usage2arcfour): simplify, only include
special cases From: Luke Howard <lukeh@PADL.COM>
2003-08-25 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/hdb-ldap.c: code rewrite from Luke Howard
<lukeh@PADL.COM>
* lib/krb5/crypto.c (arcfour_checksum_p): return true when is
arcfour, not when its not pointed out by Luke Howard
* doc/ack.texi: update Luke Howard email address
2003-08-24 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5_encrypt.3: document:
krb5_crypto_getconfoundersize, krb5_crypto_getblocksize
krb5_crypto_getenctype, krb5_crypto_getpadsize
* lib/krb5/crypto.c (krb5_crypto_getpadsize,
krb5_crypto_getconfoundersize): added From: Luke Howard
<lukeh@PADL.COM>
2003-08-23 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/connect.c (handle_tcp): handle recvfrom returning 0
(connection closed)
* kdc/connect.c (grow_descr): increment the size after we succeed
to allocate the space
* lib/krb5/krb5_create_checksum.3: text about when
krb5_crypto_get_checksum_type is useful
* lib/krb5/crypto.c (krb5_crypto_get_checksum_type): fix format
string
* lib/krb5/krb5_create_checksum.3: document
krb5_crypto_get_checksum_type
* lib/krb5/crypto.c: add krb5_crypto_get_checksum_type
From: Luke Howard <lukeh@PADL.COM>
* lib/asn1/gen.c: s/UTF8String/heim_utf8_string/ in generated code
From: Luke Howard <lukeh@PADL.COM>
2003-08-21 Love Hörnquist Åstrand <lha@it.su.se>
* include/make_crypto.c: include aes.h inc in the local libdes
case too
2003-08-20 Johan Danielsson <joda@pdc.kth.se>
* lib/asn1/der_free.c: set free'd poiners to NULL
* lib/asn1/gen_free.c: set free'd poiners to NULL
2003-08-20 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/heim_threads.h: XXX don't use "plain" pthread support
on netbsd
* lib/krb5/crypto.c: Do the arcfour checksum mapping for
krb5_create_checksum and krb5_verify_checksum, From: Luke Howard
<lukeh@PADL.COM>
2003-08-18 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/test_config.c: check krb5_prepend_config_files_default
and krb5_prepend_config_files
* lib/krb5/context.c: add krb5_prepend_config_files and
krb5_prepend_config_files_default
2003-08-17 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/mkey.c (read_master_mit): krb5_ret_int16 takes a int16_t
as argument
* lib/krb5/parse-name-test.c: please lint (and me)
* kdc/config.c (configure): remove only set variable 'e'
* kdc/connect.c (init_socket): sockaddr size argument to
krb5_addr2sockaddr is a krb5_addr2sockaddr *
* kdc/kerberos5.c (as_rep): remove usused variable
(tgs_rep2): don't use a temporary ret-variable, ret is reset later
* lib/krb5/krb5_get_in_cred.3: these function will be deprecated
* lib/krb5/Makefile.am: man_MANS += krb5_get_init_creds.3
* lib/krb5/krb5_get_init_creds.3: begining of documentation of
krb5_get_init_creds
* lib/krb5/get_in_tkt.c (krb5_get_in_tkt): for compatibility with
with the mit implemtation, don't free `creds' argument when done,
its up the the caller to do that, also allow a NULL ccache.
2003-08-16 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5.conf.5: document tgs_require_subkey
* lib/asn1/Makefile.am: remove trance of generate tests files, its
not really for consumption yet
* lib/hdb/Makefile.am: split generated source from non generated
source we make-proto.pl can generate prototypes for non
generate-source only (make-proto.pl dies on asn1compile's .c
files)
* lib/krb5/get_cred.c (init_tgs_req): make generation of subkey
optional on configuration parameter
[realms]realm={tgs_require_subkey=bool}
defaults to off. The RFC1510 weakly defines the correct behavior,
so old DCE secd apparently required the subkey to be there, and MS
will use it when its there. But the request isn't encrypted in the
subkey, so you get to choose if you want to talk to a MS mdc or a
old DCE secd.
* kdc/kerberos5.c (*): handle krb5_unparse_name returning non-zero
2003-08-15 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/principal.c (unparse_name): len can't be zero, so,
don't check for that
2003-08-13 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/principal.c (unparse_name): make sure there are space
for a NUL, set *name to NULL when there is a failure (so caller
can't get hold of a freed pointer)
2003-07-26 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/kerberos.8: remove duplicate manual, from
cjep@netbsd.org
2003-07-25 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/cache.c: indent
* lib/krb5/cache.c (krb5_cc_set_default_name): only read
KRB5CCNAME when not suid
2003-07-24 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/keytab_krb4.c (read_v4_entry): the des key is 8 bytes,
use a char array instead of des_cblock
2003-07-23 Love Hörnquist Åstrand <lha@it.su.se>
* kdc/kerberos5.c: add support for KRB5_PADATA_ETYPE_INFO2
* lib/krb5/crypto.c (hmac): make it return an error when out of
memory, update callsites to either return error or use krb5_abortx
(krb5_hmac): expose hmac
2003-07-22 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/keyblock.c (krb5_keyblock_get_enctype): return enctype
of keyblock
* lib/krb5/Makefile.am (man_MANS): += krb5_keyblock.3
* lib/krb5/krb5_keyblock.3: some information about krb5_keyblock
and related functions
* lib/krb5/heim_threads.h: make the non-debug version of the mutex
macros "use" the "mutex" integer so the compile wont complain
about defined unused variables
* lib/krb5/heim_threads.h: make thread local storage macros take a
"return" argument so no functions need to be created for the
no-pthread case
* lib/krb5/heim_threads.h: adding RWLOCKS and [sg]etspecific
* configure.in: use KRB_PTHREADS
* lib/asn1/Makefile.am (gen_files): add asn1_KerberosString and
sort
* lib/asn1/k5.asn1 (ETYPE-INFO2-ENTRY): salt is a KerberosString
* lib/krb5/krb5.3: add ticket access functions
* lib/krb5/krb5_ticket.3: ditto
* lib/krb5/ticket.c: ditto
* lib/krb5/Makefile.am: ditto
* lib/krb5/mit_glue.c: add some more krb5_c functions
* lib/krb5/krb5_c_make_checksum.3: add some more krb5_c functions
* lib/krb5/crypto.c (krb5_cksumtype_valid): check is checksum type
is a valid one
* lib/krb5/crypto.c (krb5_checksum_is_keyed): only set extented
error string when there is a context
(krb5_checksum_is_collision_proof): ditto
2003-07-21 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/mit_glue.c (krb5_c_get_checksum): make type and data
argument optional
(krb5_c_{encrypt,decrypt}): return "better" error codes for
invalid ivec length
* lib/krb5/krb5_c_make_checksum.3: update krb5_c_get_checksum
usage
* lib/krb5/crypto.c (krb5_crypto_getenctype): new function
* include/make_crypto.c: avoid redefining
OPENSSL_DES_LIBDES_COMPATIBILITY
* lib/krb5/krb5.h: add krb5_enc_data
2003-07-19 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5.3: add krb5_c_ functions
* lib/krb5/mit_glue.c: support passing in NULL as the
cipher_state/ivec
* lib/krb5/aes-test.c: add test for krb5_c_encrypt_length and
krb5_c_decrypt
* lib/krb5/krb5_c_make_checksum.3: krb5_c encryption glue
* lib/krb5/crypto.c (wrapped_length/wrapped_length_derived): when
calculating the length of the encrypted data, use the keyed
checksum length if the enctype supports a keyed checksum. This
only matter for aes, for all other enctypes the key and unkeyed
checksum have the same length.
2003-07-18 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/mit_glue.c: first version of krb5_c encryption glue
* doc/install.texi: update pointer to luke ldap documentation
* lib/hdb/hdb.c (hdb_create): check for dynamic backend after
static to avoid warning from dynamic backend when using a known
static backend
2003-07-16 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/cache.c: don't return value in void function
2003-07-15 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/creds.c (krb5_compare_creds): if client is specified in
the mcreds, check that too
* lib/krb5/{keytab_file.c,principal.c,mk_error.c,krb5.h,get_cred.c}:
prefix libasn1 types with heim_
* lib/asn1: prefix typedefs and structs with heim_
2003-07-13 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/hdb.c: avoid unnecessary setting of variable
2003-07-07 Love Hörnquist Åstrand <lha@it.su.se>
* kuser/klist.c (check_for_tgt): use krb5_cc_clear_mcred
* appl/test/uu_client.c (proto): use krb5_cc_clear_mcred
* lib/krb5/get_cred.c (init_tgs_req): in case of error, don't free
in the req_body addresses since they where pass in by caller
(find_cred): use krb5_cc_clear_mcred
* lib/krb5/krb5_ccache.3: document krb5_cc_clear_mcred
* lib/krb5/cache.c (krb5_cc_clear_mcred): new function, clear a
krb5_creds to use with krb5_cc_retrieve_cred
2003-06-30 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/hdb.c (find_dynamic_method): if there isn't a prefix,
don't load anything
2003-06-29 Love Hörnquist Åstrand <lha@it.su.se>
* lib/hdb/hdb.c: Dynamic backend loading, based on patch from Luke
Howard <lukeh@PADL.COM>
* lib/hdb/hdb.h: add struct hdb_so_method and
HDB_INTERFACE_VERSION
2003-06-28 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/mk_req_ext.c (krb5_mk_req_internal): when using
arcfour-hmac-md5, use an unkeyed checksum (rsa-md5), since
Microsoft calculates the keyed checksum with the subkey of the
authenticator.
* kuser/kinit.c: write out v4 credential caches with
_krb5_krb_tf_setup
* lib/krb5/krb5-v4compat.h: add _krb5_krb_tf_setup
* lib/krb5/convert_creds.c (_krb5_krb_tf_setup): create/append v4
credential to a new krb4 ticket file
2003-06-27 Johan Danielsson <joda@pdc.kth.se>
* lib/krb5/krb5_kuserok.3: put Nd argument in double quotes since
it contains more than 9 words; from wiz
2003-06-25 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/verify_krb5_conf.c: add missing " within #if 0, from
stefan sokoll <stefansokoll@yahoo.de>
2003-06-24 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/krb5_timeofday.3: improve krb5_set_real_time text
* lib/krb5/time.c: improve comment for krb5_set_real_time
2003-06-23 Johan Danielsson <joda@pdc.kth.se>
* kuser/kinit.1: document -A
* kuser/kinit.c: add -A as an alias for --no-addresses
2003-06-22 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/get_for_creds.c (krb5_get_forwarded_creds): pass in a
krb5_timestamp to krb5_us_timeofday
* lib/krb5/mk_error.c (krb5_mk_error): pass in a krb5_timestamp to
krb5_us_timeofday
* lib/krb5/time.c (krb5_set_real_time): fix comment and make it
work
* lib/krb5/time.c, lib/krb5/krb5_timeofday.3,
lib/krb5/Makefile.am lib/krb5/test_time.c:
implement krb5_set_real_time, used by SAMBA, requested by Luke
Howard <lukeh@PADL.COM>
* lib/asn1/k5.asn1: make the aes and sha1 checksum types match
draft-ietf-krb-wg-crypto-05
2003-06-21 Love Hörnquist Åstrand <lha@it.su.se>
* lib/krb5/aes-test.c: add a test for aes kcrypto encrypted data
* lib/krb5/crypto.c: clean up AES code to use a structure instead